Method, Apparatus and Computer Program Product Implementing Anonymous Biometric Matching

ABSTRACT

Method, apparatus and computer program product compare biometrics in an anonymous manner. A first collection of biometrics is transformed using a first cancelable non-invertible biometric transform to create a first collection of transformed biometrics. A second collection of biometrics is transformed using the first cancelable non-invertible biometric transform to create a second collection of transformed biometrics. The first and second collection of transformed biometrics are then compared in the transformed domain to determine if any of the transformed biometrics from the first collection match any of the transformed biometrics from the second collection. If a match is found, the parties respectively maintaining the first and second collections of biometrics exchange information concerning the individual associated with the matching biometrics. In this manner the confidential nature of the biometrics are maintained by the entities responsible for the collections, since the biometrics are not compared in an untransformed state.

TECHNICAL FIELD

The invention generally concerns biometrics for use in identifyingindividuals, and more particularly concerns comparing collections ofbiometrics to find matches in the collections, wherein the biometricsare compared in a transformed manner that preserves their anonymity.

BACKGROUND

Due to the perceived increase in violence in the world, particularlyviolence perpetuated by so-called “terrorists”, there is anever-increasing desire to improve security. Security means the abilityto identify and prevent violent events before the events occur. In orderto identify and prevent violent events, it usually is necessary andoften mandatory, to identify individual who will foment the violence.

This is often a difficult task. A group of individuals undersurveillance may sympathize with terrorists but may have neither thecontacts nor the desire to engage in terroristic activities themselves.The ability to determine whether any members of the group have contactswith terrorists, or are themselves terrorists, is often difficultwithout a positive identification or overt acts preparing orperpetrating terroristic activities. It is a commonplace that terroristsuse aliases and disguises that make positive identification difficult,if not impossible.

One method to positively identify individuals is through biometrics.Biometrics—fingerprints, retinal details, facial appearance, etc.—areunique to individuals and difficult to counterfeit. A problem withbiometrics is that biometrics usually only are collected fromindividuals who already have run afoul of security apparatus or thecriminal justice system. Civil libertarians view widespread collectionof biometrics solely for the purpose of security as an invasion ofprivacy and resist efforts by government to make biometric collectionmandatory.

Nonetheless, those seeking a service from a private entity, often agreeto provide a biometric in exchange for the service such as, for example,an airline flight. Even though the biometrics are provided voluntarily,the individuals providing the biometrics desire that they be used onlyfor limited purposes. In particular, the expectation is that theprovided biometrics will be compared to collections of biometricscollected from individuals who are security threats. Since mostindividuals providing the biometrics in the example airline flightsituation are law-abiding, they have no problem with providing abiometric sample for a limited purpose. Individuals, nonetheless, do notdesire that other entities be able to collect their biometrics and addthem to a permanent collection solely because they desire to take anairline flight, for instance.

Similar concerns arise when a private employer seeks to use biometricsfor employee screening purposes. The private employer does not wish toadd to the permanent collection of, for example, the FBI by providingthe FBI with identity information associated with biometrics forindividuals that the FBI does not have records for. Instead, the privateemployer only desires to know if potential employees have criminalrecords.

There are additional concerns arising from situations where intelligencehas been gathered regarding individuals and subversive groups that posesecurity risks. When security agencies from different countries, or evenwithin a country, seek to exchange information regarding individuals whopose security risks, the agencies are often confronted with problemsassociated with disclosure. For instance, a first security agency mayhave identified a particular individual as a security risk, anddiscloses this information to the second security agency to determine ifthe second security agency knows anything about the activities of theindividual. It may turn out that the individual is unknown to the secondsecurity agency. If the second security agency has been infiltrated bymoles, a mole may tip off the individual that he is known to the firstsecurity agency as a potential security risk. Accordingly, securityagencies are reluctant to disclose lists of individuals for screeningand intelligence gathering purposes to other security agencies becausethe disclosure may be made known to the individuals on the list who canthen change their behavior by, for instance, switching operations to anew country. In addition, if a list is denominated as, for example, “allindividuals from subversive group A known to the first security agencythat pose a threat”, when the list is disclosed to the second securityagency, the mole can identify if anyone from subversive group A hasescaped the attention of the first security agency. Further, there maybe restrictions on the type of information that may be divulged to thesecurity agency of a different country. For example, the country of asecurity agency may not allow biometrics of its citizens to be disclosedto a security agency from another country.

Accordingly, there is an increasing desire for entities that wish to usebiometrics for screening purposes to be able to use them in a mannerthat satisfies their customers. For instance, the entities desiremethods and apparatus that allow them to perform the screening operationwithout serving as an effective collecting apparatus for other entitieswho desire to have a biometric for as many individuals as possible toimprove security.

SUMMARY OF THE INVENTION

A first embodiment of the invention is a method comprising: transforminga first collection of biometrics and a second collection of biometricswith at least one cancelable non-invertible biometric transform;comparing transformed biometrics from the first collection withtransformed biometrics from the second collection; and if a match isfound, recording information identifying the match.

A second embodiment of the invention is an electronic device comprising:at least one memory configured to store at least one computer program;and a processor configured to execute the at least one computer program,wherein when the computer program is executed by the processor, theelectronic device is configured to transform each biometric in a firstcollection of biometrics using at least one cancelable non-invertiblebiometric transform; and to transmit the first collection of transformedbiometrics to a remote entity so that the first collection of biometricscan be compared to a second collection of transformed biometrics.

A third embodiment of the invention is an electronic device comprising:at least one memory configured to store at least one computer program;and a processor configured to execute the at least one computer program,wherein when the computer program is executed by the processor, theelectronic device is configured to receive a first collection oftransformed biometrics, each of the biometrics transformed with at leastone cancelable non-invertible biometric transform to generate atransformed biometric; to transform a second collection of biometricsusing the at least one cancelable non-invertible biometric transform; tocompare the transformed biometrics from the first collection with thetransformed biometrics from the second collection; and to identifytransformed biometrics from the first collection that match transformedbiometric from the second collection.

A fourth embodiment of the invention is a computer program productcomprising a computer readable memory medium tangibly embodying acomputer program, the computer program configured to operate anelectronic device when executed, wherein when executed, the computerprogram is configured to cause the electronic device to transform eachbiometric in a first collection of biometrics using at least onecancelable non-invertible biometric transform; to transmit the firstcollection of transformed biometrics to a remote entity so that thefirst collection of transformed biometrics can be compared to a secondcollection of transformed biometrics, the second collection oftransformed biometrics transformed with the at least one cancelablenon-invertible biometric transform; and to receive a result of thecomparison, wherein the result indicates whether any transformedbiometrics from the second collection of transformed biometrics werefound to match a transformed biometric from the first collection.

A fifth embodiment of the invention is a computer program productcomprising a computer readable memory medium tangibly embodying acomputer program, the computer program configured to operate anelectronic device when executed, wherein when executed the computerprogram is configured to operate the electronic device to receive afirst collection of transformed biometrics, each of the biometricstransformed with at least one cancelable non-invertible biometrictransform to generate a transformed biometric; to transform a secondcollection of biometrics using the at least one cancelablenon-invertible biometric transform; to compare the transformedbiometrics from the first collection with the transformed biometricsfrom the second collection; and to identify transformed biometrics fromthe first collection that match transformed biometrics from the secondcollection.

In conclusion, the foregoing summary of the various embodiments of thepresent invention is exemplary and non-limiting. For example, one orordinary skill in the art will understand that one or more aspects orsteps from one embodiment can be combined with one or more aspects orsteps from another embodiment to create a new embodiment within thescope of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other aspects of these teachings are made more evidentin the following Detailed Description of the Invention, when read inconjunction with the attached Drawing Figures, wherein:

FIG. 1 is a block diagram of a system capable of operating in accordancewith the present invention;

FIG. 2 is a conceptual diagram depicting operation of a method inaccordance with the invention;

FIG. 3 is a conceptual diagram depicting operation of another method inaccordance with the invention;

FIG. 4 is a flowchart depicting a method operating in accordance withthe invention;

FIG. 5 is a flowchart depicting another method operating in accordancewith the invention; and

FIG. 6 is a flowchart depicting a further method operating in accordancewith the invention.

DETAILED DESCRIPTION OF THE INVENTION

Aspects of the invention can be embodied in methods, apparatus andcomputer program products. Before proceeding with a description of themethods of the invention, a description of a networked system configuredin accordance with the invention will be provided.

FIG. 1 depicts the networked system 100. The networked system 100comprises a plurality of servers 110, 130 and 140. Servers 110 comprisea processor 112 for executing programs capable of performing methods inaccordance with the invention; memories 114 for storing computerprograms 116 capable of operating in accordance with the invention;biometrics and associated identity information 118; and networkinterfaces 119. The network interfaces 119 connect the servers 110, 130and 140 to network 120.

Server 130 may comprise a remote source of identity information to beused with biometric information stored in one of the servers 110. Forinstance, an entity for liability reasons associated with the risk ofunintended disclosure may not desire to store the biometric informationand identity information identifying the individuals associated with thebiometric information on the same server. In such a situation, if one ofthe servers were to be “hacked”, a hacker may be able to access both thebiometric information and identity information identifying theindividuals associated with the biometrics, a highly undesirableoutcome. By separately storing the biometric information and theidentity information, a hacker would have to compromise both server 110and server 130, making the possibility of unintended disclosure moreunlikely. Server 140 may store biometric information that can beoperated on by at least one of the servers 110.

The system depicted in FIG. 1 is an exemplary and non-limiting depictionof systems and apparatus capable of operating in accordance with theinvention. One of ordinary skill in the art will understand thatinvention can be practiced in systems that differ from that depicted inFIG.1.

Now having described a system configured in accordance with theinvention, methods in accordance with the invention will be described.In embodiments of the invention single or multiple cancelablenon-invertible biometric transforms are applied to collections ofbiometrics and the transformed biometrics are then compared in thetransform domain. When a match is found, one party can ask for moredetails in the open domain.

As shown in FIG. 2, a first method operating in accordance with theinvention transforms two collections of biometrics 210 and 230 using asingle cancelable non-invertible biometric transform (i.e., allbiometrics in collections 210 and 230 are transformed in the same way)to create transformed collections 220 and 240. A cancelable biometrictransform, when applied to a biometric, creates an intentionaldistortion of the biometric of the same format as the originalbiometric. The distortion is repeatable in the sense that, irrespectiveof variations in recording conditions of the original biometric, itgenerates the same (or very similar) distorted biometric each time. Anon-invertible biometric transform means that the cancelable biometrictransform can not be reversed to reveal the untransformed biometric,thus preserving the anonymity and privacy of the biometric. Cancelable,non-invertible transforms are described in greater detail in U.S. Pat.No. 6,836,534, which is hereby incorporated by reference in its entiretyas if fully restated herein.

Each biometric from collection 220 is then compared to transformedbiometrics from collection 240 until a match is found or until theparticular transformed biometric from the first collection has beencompared to all of the transformed biometrics from the second collectionand no match is found. For each match a record is created identifyingthe match. For events where there is a considerable match, the entitiesinvolved operate in accordance with established protocols depending onrisk. For example, in a situation involving air transport, if the matchcorresponds to an individual who is a known hijacking threat, then thesecurity agency can instruct the airline to alert the local lawenforcement authorities to take the individual into custody.Alternatively, if the individual is not a hijacking threat, butnonetheless is of interest to the authorities, the security agency mayinstruct the airline to take no action, and to provide the securityagency with details about the individual's destination, and possibly asurveillance photograph to record the individual's current appearance.

In a second method depicted in FIG. 3, cancelable non-invertiblebiometric transforms are randomly selected from a collection ofcancelable non-invertible biometric transforms and applied to each ofthe biometrics in collection 310 to create a collection of transformedbiometrics 320 (where each biometric in collection 320 has likely beentransformed with a different cancelable non-invertible biometrictransform). Biometrics in collection 330 are transformed using all thepossible transforms creating collections of transformed biometrics 340for each cancelable non-invertible biometric transform. Then eachtransformed biometric from collection 320 is compared to each biometricgenerated using the various available cancelable non-invertiblebiometric tranforms at least until a match is found or until thebiometric has been compared to all available transformed biometrics andno match is found. If there is a match against any record from any ofthe transformed databases, the original biometric and details will berequested. Note that this is a more expensive solution (computationally)but provides more privacy and security. However, with a large space ofpossible transforms, or a large set of possibilities less than themaximum allowed by the method, the cardinality of Cancelable Transform(CT) List 2 may be prohibitively large.

A third method is similar to the second method depicted in FIG. 3,except a company supplies Cancelable Transformed (CT) List 1 along withan unordered list of all the cancelable non-invertible biometrictransforms used. The size of this list (T1) may be greater, equal to orless than the number of individuals in List 1, but is usually lower thanthis number. For instance, the company who owns List 1 may initially usetransform 1 for all its customers, and only on request, or when theoriginal is compromised, shift to a different transform. This processthen proceeds as in method 2: List 2 is transformed with each of thepossible cancelable non-invertible biometric transforms and a match issought within CT List 1 for each of the transformed versions.

A fourth method is similar to the third method, except the list ofcancelable non-invertible biometric transforms specifies whichcancelable non-invertible biometric transform was used for eachbiometric in the database. Note that since the Cancelable Transforms arenon-invertible, knowing the transform associated with a particular entrydoes not allow an interloper to recover the original biometrics. In thisway privacy is preserved. Knowing which cancelable non-invertiblebiometric transform is needed for each entry of List 1 substantiallyreduces the total number of comparisons needed. In the third method(above) one might have to compare T1*12 transformed probes against agallery of size L1. Here L1 is the cardinality of List 1, L2 is thecardinality of List 2, and T1 is the number of transformed used in CTList 1 (which could be as high as L1). This yields a worst case of L1²*L2 comparisons. By contrast, if the enrollment transform is known foreach individual in List 1, then for each of the T1 transforms L2 probeshave to be compared against only a single record. This leads to a worstcase of L1*L2 comparisons for the forth method. The savings can besignificant, especially since L1 tends to be much larger than L2.

In a fifth method, each record in database List 1 is transformed withthe same cancelable non-invertible biometric transform (say,transform-399), then transformed a second time to generate CT List 1.This works because the cancelable transforms are cascadable—eachgenerates an output in the same format as the input it received.Similarly, each record in watchlist List 2 is also transformed by thesame transform (transform-399 again) to mask its true configuration.Then the first, second, third or fourth technique is used to findsimilarities. The advantage to this is that List 2 can be safelyout-sourced to a third party without revealing its members. The thirdparty can then perform whatever additional transformations are requiredbased on the supplied cancelable non-invertible biometric transformlist, and run all the required matching. The result is a fairlyanonymous statement like “record 5379 in List 1 seems to match record 13in List 2”.

FIGS. 4-6 are flowcharts summarizing methods operating in accordancewith the invention that may be practiced in devices like those depictedin FIG. 1. The method of FIG. 4 starts at 410. Then, at 412, eachbiometric from a first collection of biometrics is transformed using acancelable non-invertible biometric transform. Next, at 414, eachbiometric from a second collection of biometrics is transformed with thecancelable non-invertible biometric transform. Then, at 416, a firstcount is set equal to the number of transformed biometrics in the firstcollection. Next, at 418, a first (or next) transformed biometric isselected from the first collection of transformed biometrics. Then, at420, a second count is set equal to the number of transformed biometricsin the second collection. Next, at 422, a first (or next) transformedbiometric is selected from the second collection. Then, at 424, thefirst (or next) transformed biometric from the first collection iscompared with the first (or next) transformed biometric from the secondcollection. At decision diamond 426, if there is a match, the methodcontinues to 428 where the match is recorded. Later, the entitiescontrolling the respective biometric collections will exchange dataregarding the identity of the individual with the matching biometric.The method continues at 430 when the first count is decremented. If thefirst count is now zero, then this means that all the transformedbiometrics from the first collection have been compared. The method thenstops at 434. If the count is not zero, that means there are remainingtransformed biometrics from the first collection that have to becompared, and the method returns to step 418 to select the nexttransformed biometric from the first collection to be compared to thetransformed biometrics from the second collection. Returning to decisiondiamond 426, if there is no match, the method continues to 436 where thesecond count is decremented. If the second count is determined to bezero at decision diamond 438, this means that the current transformedbiometric from the first collection has been compared to all thetransformed biometrics from the second collection and no match has beenfound. From this point, the method continues to step 430 where the firstcount is decremented. As described previously, if the first count is nowzero, the method stops. Otherwise it returns to step 418 to select thenext transformed biometric from the first collection for comparisonpurposes. Returning to decision diamond 438, if the second count isdetermined to be not equal to zero, this means that there are remainingtransformed biometrics from the second collection that need to becompared to the current transformed biometric from the first collection,so the method returns to step 422.

The method of FIG. 5 is intended to operate in apparatus used by aservice entity like an airline that is not responsible for maintaining asecurity watch list, but instead collects biometrics while providing aservice. The service entity nonetheless would like to have biometricscollected from, for example, passengers, compared to those collectedfrom individuals on the security watch list. It does this bytransferring the biometrics collected from passengers over a network ina system like that depicted in FIG. 1. The collection of biometrics isnot transferred until after the biometrics have been transformed topreserve the anonymity of the biometrics. The method depicted in FIG. 5starts at 510. Then, at 512, each biometric is transformed with acancelable non-invertible biometric transform. Next, at 514, thecollection of transformed biometrics is transferred to an externalentity (for example, a government security agency or law enforcemententity) for comparison to biometrics collected from individuals on asecurity watch list. As described previously, the biometrics may betransferred along with an identification of cancelable non-invertiblebiometric transforms that may have been used to transform thebiometrics. At least one of the identified cancelable non-invertiblebiometric transforms was actually used. Then, at 516, the service entity(for example, airline) receives back a result 516 indicating whether amatch has been found.

The method depicted in FIG. 6 is typical of a method that would beperformed at a security agency or law enforcement entity that iscooperating with service entities (like airlines) that collectbiometrics for security purposes. The method starts at 610. Next, at612, the security agency or law enforcement entity receives a firstcollection of transformed biometrics from the service entity forcomparison purposes. As described previously, the first collection oftransformed biometrics may be accompanied by an identification ofcancelable non-invertible biometric transforms that may have been usedto transform the first collection of biometrics. In such a case, then,at 614, a second collection of biometrics are transformed either using acancelable non-invertible biometric transform known to have been used totransform the biometrics included in the first collection, or using thecollection of transforms identified in the communication received from,for example, the service entity. Next, at 616, a comparison is performedbetween the first collection of transformed biometrics and secondcollection of transformed biometrics. If matches are found, they arereported to the service entity at 618 by the security agency or lawenforcement entity. The method stops at 620.

Thus it is seen that the foregoing description has provided by way ofexemplary and non-limiting examples a full and informative descriptionof the best apparatus and methods presently contemplated by theinventors for implementing anonymous biometric matching. One skilled inthe art will appreciate that the various embodiments described hereincan be practiced individually; in combination with one or more otherembodiments described herein; or in combination with methods andapparatus differing from those described herein. Further, one skilled inthe art will appreciate that the present invention can be practiced byother than the described embodiments; that these described embodimentsare presented for the purposes of illustration and not of limitation;and that the present invention is therefore limited only by the claimswhich follow.

1.-10. (canceled)
 11. An electronic device comprising: at least onememory configured to store at least one computer program; and aprocessor configured to execute the at least one computer program,wherein when the computer program is executed by the processor, theelectronic device is configured to transform each biometric in a firstcollection of biometrics using at least one cancelable non-invertiblebiometric transform; and to transmit the first collection of transformedbiometrics to a remote entity so that the first collection of biometricscan be compared to a second collection of transformed biometrics. 12.The electronic device of claim 11 wherein when the computer program isexecuted the electronic device is further configured to transform eachbiometric in a first collection of biometrics using at least onecancelable non-invertible biometric transform by randomly selecting atransform from a collection of transforms and applying the randomlyselected transform to the biometric.
 13. The electronic device of claim12 wherein when the computer program is executed the electronic deviceis further configured to create a record identifying each cancelablenon-invertible biometric transform used to transform each biometric inthe first collection of biometrics, and to transmit the record to theremote entity.
 14. The electronic device of claim 12 wherein when thecomputer program is executed the electronic device is further configuredto create a record identifying another collection of cancelablenon-invertible biometric transforms that contains at least all of thecancelable non-invertible biometric transforms used to transform each ofthe biometrics in the first collection of biometrics, and to transmitthe record to the remote entity.
 15. The electronic device of claim 11further comprising: a network interface configured to transmit the firstcollection of transformed biometrics over a network to the remoteentity.
 16. An electronic device comprising: at least one memoryconfigured to store at least one computer program; and a processorconfigured to execute the at least one computer program, wherein whenthe computer program is executed by the processor, the electronic deviceis configured to receive a first collection of transformed biometrics,each of the biometrics transformed with at least one cancelablenon-invertible biometric transform to generate a transformed biometric;to transform a second collection of biometrics using the at least onecancelable non-invertible biometric transform; to compare thetransformed biometrics from the first collection with the transformedbiometrics from the second collection, and to identify transformedbiometrics from the first collection that match transformed biometricfrom the second collection.
 17. The electronic device of claim 16wherein each biometric of the first collection of transformed biometricsis separately transformed with a cancelable non-invertible biometrictransform randomly selected from a collection of cancelablenon-invertible biometric transforms, the electronic device furtherconfigured to separately transform each biometric from the secondcollection of biometrics with each of the cancelable non-invertiblebiometric transforms from the cancelable non-invertible biometriccollection of transforms to generate a collection of transformedbiometrics for each biometric from the second collection of biometrics,and to compare each of the transformed biometrics from the firstcollection with each transformed biometric from the second collection atleast until a match is found for each transformed biometric from thefirst collection or until the particular transformed biometric from thefirst collection has been compared to all of the transformed biometricsgenerated from the second collection of biometrics.
 18. The electronicdevice of claim 16 wherein each biometric of the first collection ofbiometrics is separately transformed with a cancelable non-invertiblebiometric transform selected from a collection of cancelablenon-invertible biometric transforms, the electronic device furtherconfigured to receive a record indicating which cancelablenon-invertible biometric transform was used to transform each of thebiometrics from the first collection; to generate a collection oftransformed biometrics for each biometric of the second collection byseparately transforming the particular biometric with each of thecancelable non-invertible biometric transforms used to transform thebiometrics from the first collection; and to compare each transformedbiometrics from the first collection to biometrics from the secondcollection that have been transformed with the same cancelablenon-invertible biometric transform as the transformed biometric from thefirst collection, at least until a match is found or until theparticular transformed biometric from the first collection has beencompared to all of the transformed biometrics generated from the secondcollection of biometrics using the same cancelable non-invertiblebiometric transform as applied to the particular biometric from thefirst collection.
 19. The electronic device of claim 16 furthercomprising: a network interface configured to receive the secondcollection of transformed biometrics over a network from an externalentity.
 20. A computer program product comprising a computer readablememory medium tangibly embodying a computer program, the computerprogram configured to operate an electronic device when executed,wherein when executed, the computer program is configured to cause theelectronic device to transform each biometric in a first collection ofbiometrics using at least one cancelable non-invertible biometrictransform; to transmit the first collection of transformed biometrics toa remote entity so that the first collection of transformed biometricscan be compared to a second collection of transformed biometrics, thesecond collection of transformed biometrics transformed with the atleast one cancelable non-invertible biometric transform; and to receivea result of the comparison, wherein the result indicates whether anytransformed biometrics from the second collection of transformedbiometrics were found to match a transformed biometric from the firstcollection.
 21. The computer program product of claim 20, wherein totransform each biometric in a first collection of biometrics using atleast one cancelable non-invertible biometric transform furthercomprises for each biometric to randomly select a cancelablenon-invertible biometric transform from a collection of transforms andto apply the randomly selected transform to the biometric.
 22. Acomputer program product comprising a computer readable memory mediumtangibly embodying a computer program, the computer program configuredto operate an electronic device when executed, wherein when executed thecomputer program is configured to operate the electronic device toreceive a first collection of transformed biometrics, each of thebiometrics transformed with at least one cancelable non-invertiblebiometric transform to generate a transformed biometric; to transform asecond collection of biometrics using at least one cancelablenon-invertible biometric transform; to compare the transformedbiometrics from the first collection with the transformed biometricsfrom the second collection, and to identify transformed biometrics fromthe first collection that match transformed biometrics from the secondcollection.
 23. The computer program product of claim 22 wherein eachbiometric of the first collection of transformed biometrics isseparately transformed with a cancelable non-invertible biometrictransform randomly selected from a collection of cancelablenon-invertible biometric transforms, and where to transform the secondcollection of biometrics using at least one cancelable non-invertiblebiometric transform further comprises to separately transform eachbiometric from the second collection of biometrics with each of thecancelable non-invertible biometric transforms from the cancelablenon-invertible biometric collection of transforms to generate acollection of transformed biometrics for each biometric from the secondcollection of biometrics.
 24. The computer program product of claim 23wherein to compare the transformed biometrics from the first collectionwith the transformed biometric from the second collection furthercomprises to compare each of the transformed biometrics from the firstcollection with each transformed biometric from the second collection atleast until a match is found for each transformed biometric from thefirst collection or until the particular transformed biometric from thefirst collection has been compared to all of the transformed biometricsgenerated from the second collection of biometrics.
 25. The computerprogram product of claim 22 wherein each biometric of the firstcollection of biometrics is separately transformed with a cancelablenon-invertible biometric transform selected from a collection ofcancelable non-invertible biometric transforms, where the computerprogram when executed is further configured to receive a recordindicating which cancelable non-invertible biometric transform was usedto transform each of the biometrics from the first collection; togenerate a collection of transformed biometrics for each biometric ofthe second collection by separately transforming the particularbiometric with each of the cancelable non-invertible biometrictransforms used to transform the biometrics from the first collection;and to compare each transformed biometrics from the first collection tobiometrics from the second collection that have been transformed withthe same cancelable non-invertible biometric transform as thetransformed biometric from the first collection, at least until a matchis found or until the particular transformed biometric from the firstcollection has been compared to all of the transformed biometricsgenerated from the second collection of biometrics using the samecancelable non-invertible biometric transform as applied to theparticular biometric from the first collection.